1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * Kernel Probes (KProbes)
5 * Copyright (C) IBM Corporation, 2002, 2004
7 * 2002-Oct Created by Vamsi Krishna S <vamsi_krishna@in.ibm.com> Kernel
8 * Probes initial implementation ( includes contributions from
10 * 2004-July Suparna Bhattacharya <suparna@in.ibm.com> added jumper probes
11 * interface to access function arguments.
12 * 2004-Oct Jim Keniston <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
13 * <prasanna@in.ibm.com> adapted for x86_64 from i386.
14 * 2005-Mar Roland McGrath <roland@redhat.com>
15 * Fixed to handle %rip-relative addressing mode correctly.
16 * 2005-May Hien Nguyen <hien@us.ibm.com>, Jim Keniston
17 * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
18 * <prasanna@in.ibm.com> added function-return probes.
19 * 2005-May Rusty Lynch <rusty.lynch@intel.com>
20 * Added function return probes functionality
21 * 2006-Feb Masami Hiramatsu <hiramatu@sdl.hitachi.co.jp> added
22 * kprobe-booster and kretprobe-booster for i386.
23 * 2007-Dec Masami Hiramatsu <mhiramat@redhat.com> added kprobe-booster
24 * and kretprobe-booster for x86-64
25 * 2007-Dec Masami Hiramatsu <mhiramat@redhat.com>, Arjan van de Ven
26 * <arjan@infradead.org> and Jim Keniston <jkenisto@us.ibm.com>
27 * unified x86 kprobes code.
29 #include <linux/kprobes.h>
30 #include <linux/ptrace.h>
31 #include <linux/string.h>
32 #include <linux/slab.h>
33 #include <linux/hardirq.h>
34 #include <linux/preempt.h>
35 #include <linux/sched/debug.h>
36 #include <linux/perf_event.h>
37 #include <linux/extable.h>
38 #include <linux/kdebug.h>
39 #include <linux/kallsyms.h>
40 #include <linux/ftrace.h>
41 #include <linux/kasan.h>
42 #include <linux/moduleloader.h>
43 #include <linux/objtool.h>
44 #include <linux/vmalloc.h>
45 #include <linux/pgtable.h>
47 #include <asm/text-patching.h>
48 #include <asm/cacheflush.h>
50 #include <linux/uaccess.h>
51 #include <asm/alternative.h>
53 #include <asm/debugreg.h>
54 #include <asm/set_memory.h>
58 DEFINE_PER_CPU(struct kprobe *, current_kprobe) = NULL;
59 DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
61 #define stack_addr(regs) ((unsigned long *)regs->sp)
63 #define W(row, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, ba, bb, bc, bd, be, bf)\
64 (((b0##UL << 0x0)|(b1##UL << 0x1)|(b2##UL << 0x2)|(b3##UL << 0x3) | \
65 (b4##UL << 0x4)|(b5##UL << 0x5)|(b6##UL << 0x6)|(b7##UL << 0x7) | \
66 (b8##UL << 0x8)|(b9##UL << 0x9)|(ba##UL << 0xa)|(bb##UL << 0xb) | \
67 (bc##UL << 0xc)|(bd##UL << 0xd)|(be##UL << 0xe)|(bf##UL << 0xf)) \
70 * Undefined/reserved opcodes, conditional jump, Opcode Extension
71 * Groups, and some special opcodes can not boost.
72 * This is non-const and volatile to keep gcc from statically
73 * optimizing it out, as variable_test_bit makes gcc think only
74 * *(unsigned long*) is used.
76 static volatile u32 twobyte_is_boostable[256 / 32] = {
77 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
78 /* ---------------------------------------------- */
79 W(0x00, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0) | /* 00 */
80 W(0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1) , /* 10 */
81 W(0x20, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) | /* 20 */
82 W(0x30, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) , /* 30 */
83 W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
84 W(0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) , /* 50 */
85 W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1) | /* 60 */
86 W(0x70, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1) , /* 70 */
87 W(0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) | /* 80 */
88 W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
89 W(0xa0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) | /* a0 */
90 W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1) , /* b0 */
91 W(0xc0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1) | /* c0 */
92 W(0xd0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) , /* d0 */
93 W(0xe0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1) | /* e0 */
94 W(0xf0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0) /* f0 */
95 /* ----------------------------------------------- */
96 /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
100 struct kretprobe_blackpoint kretprobe_blacklist[] = {
101 {"__switch_to", }, /* This function switches only current task, but
102 doesn't switch kernel stack.*/
103 {NULL, NULL} /* Terminator */
106 const int kretprobe_blacklist_size = ARRAY_SIZE(kretprobe_blacklist);
108 static nokprobe_inline void
109 __synthesize_relative_insn(void *dest, void *from, void *to, u8 op)
111 struct __arch_relative_insn {
116 insn = (struct __arch_relative_insn *)dest;
117 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
121 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
122 void synthesize_reljump(void *dest, void *from, void *to)
124 __synthesize_relative_insn(dest, from, to, JMP32_INSN_OPCODE);
126 NOKPROBE_SYMBOL(synthesize_reljump);
128 /* Insert a call instruction at address 'from', which calls address 'to'.*/
129 void synthesize_relcall(void *dest, void *from, void *to)
131 __synthesize_relative_insn(dest, from, to, CALL_INSN_OPCODE);
133 NOKPROBE_SYMBOL(synthesize_relcall);
136 * Returns non-zero if INSN is boostable.
137 * RIP relative instructions are adjusted at copying time in 64 bits mode
139 int can_boost(struct insn *insn, void *addr)
141 kprobe_opcode_t opcode;
145 if (search_exception_tables((unsigned long)addr))
146 return 0; /* Page fault may occur on this address. */
148 /* 2nd-byte opcode */
149 if (insn->opcode.nbytes == 2)
150 return test_bit(insn->opcode.bytes[1],
151 (unsigned long *)twobyte_is_boostable);
153 if (insn->opcode.nbytes != 1)
156 for_each_insn_prefix(insn, i, prefix) {
159 attr = inat_get_opcode_attribute(prefix);
160 /* Can't boost Address-size override prefix and CS override prefix */
161 if (prefix == 0x2e || inat_is_address_size_prefix(attr))
165 opcode = insn->opcode.bytes[0];
168 case 0x62: /* bound */
169 case 0x70 ... 0x7f: /* Conditional jumps */
170 case 0x9a: /* Call far */
171 case 0xc0 ... 0xc1: /* Grp2 */
172 case 0xcc ... 0xce: /* software exceptions */
173 case 0xd0 ... 0xd3: /* Grp2 */
174 case 0xd6: /* (UD) */
175 case 0xd8 ... 0xdf: /* ESC */
176 case 0xe0 ... 0xe3: /* LOOP*, JCXZ */
177 case 0xe8 ... 0xe9: /* near Call, JMP */
178 case 0xeb: /* Short JMP */
179 case 0xf0 ... 0xf4: /* LOCK/REP, HLT */
180 case 0xf6 ... 0xf7: /* Grp3 */
181 case 0xfe: /* Grp4 */
182 /* ... are not boostable */
184 case 0xff: /* Grp5 */
185 /* Only indirect jmp is boostable */
186 return X86_MODRM_REG(insn->modrm.bytes[0]) == 4;
193 __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
198 kp = get_kprobe((void *)addr);
199 faddr = ftrace_location(addr);
201 * Addresses inside the ftrace location are refused by
202 * arch_check_ftrace_location(). Something went terribly wrong
203 * if such an address is checked here.
205 if (WARN_ON(faddr && faddr != addr))
208 * Use the current code if it is not modified by Kprobe
209 * and it cannot be modified by ftrace.
215 * Basically, kp->ainsn.insn has an original instruction.
216 * However, RIP-relative instruction can not do single-stepping
217 * at different place, __copy_instruction() tweaks the displacement of
218 * that instruction. In that case, we can't recover the instruction
219 * from the kp->ainsn.insn.
221 * On the other hand, in case on normal Kprobe, kp->opcode has a copy
222 * of the first byte of the probed instruction, which is overwritten
223 * by int3. And the instruction at kp->addr is not modified by kprobes
224 * except for the first byte, we can recover the original instruction
225 * from it and kp->opcode.
227 * In case of Kprobes using ftrace, we do not have a copy of
228 * the original instruction. In fact, the ftrace location might
229 * be modified at anytime and even could be in an inconsistent state.
230 * Fortunately, we know that the original code is the ideal 5-byte
233 if (copy_from_kernel_nofault(buf, (void *)addr,
234 MAX_INSN_SIZE * sizeof(kprobe_opcode_t)))
238 memcpy(buf, x86_nops[5], 5);
241 return (unsigned long)buf;
245 * Recover the probed instruction at addr for further analysis.
246 * Caller must lock kprobes by kprobe_mutex, or disable preemption
247 * for preventing to release referencing kprobes.
248 * Returns zero if the instruction can not get recovered (or access failed).
250 unsigned long recover_probed_instruction(kprobe_opcode_t *buf, unsigned long addr)
252 unsigned long __addr;
254 __addr = __recover_optprobed_insn(buf, addr);
258 return __recover_probed_insn(buf, addr);
261 /* Check if paddr is at an instruction boundary */
262 static int can_probe(unsigned long paddr)
264 unsigned long addr, __addr, offset = 0;
266 kprobe_opcode_t buf[MAX_INSN_SIZE];
268 if (!kallsyms_lookup_size_offset(paddr, NULL, &offset))
271 /* Decode instructions */
272 addr = paddr - offset;
273 while (addr < paddr) {
277 * Check if the instruction has been modified by another
278 * kprobe, in which case we replace the breakpoint by the
279 * original instruction in our buffer.
280 * Also, jump optimization will change the breakpoint to
281 * relative-jump. Since the relative-jump itself is
282 * normally used, we just go through if there is no kprobe.
284 __addr = recover_probed_instruction(buf, addr);
288 ret = insn_decode_kernel(&insn, (void *)__addr);
293 * Another debugging subsystem might insert this breakpoint.
294 * In that case, we can't recover it.
296 if (insn.opcode.bytes[0] == INT3_INSN_OPCODE)
301 return (addr == paddr);
305 * Copy an instruction with recovering modified instruction by kprobes
306 * and adjust the displacement if the instruction uses the %rip-relative
307 * addressing mode. Note that since @real will be the final place of copied
308 * instruction, displacement must be adjust by @real, not @dest.
309 * This returns the length of copied instruction, or 0 if it has an error.
311 int __copy_instruction(u8 *dest, u8 *src, u8 *real, struct insn *insn)
313 kprobe_opcode_t buf[MAX_INSN_SIZE];
314 unsigned long recovered_insn = recover_probed_instruction(buf, (unsigned long)src);
317 if (!recovered_insn || !insn)
320 /* This can access kernel text if given address is not recovered */
321 if (copy_from_kernel_nofault(dest, (void *)recovered_insn,
325 ret = insn_decode_kernel(insn, dest);
329 /* We can not probe force emulate prefixed instruction */
330 if (insn_has_emulate_prefix(insn))
333 /* Another subsystem puts a breakpoint, failed to recover */
334 if (insn->opcode.bytes[0] == INT3_INSN_OPCODE)
337 /* We should not singlestep on the exception masking instructions */
338 if (insn_masking_exception(insn))
342 /* Only x86_64 has RIP relative instructions */
343 if (insn_rip_relative(insn)) {
347 * The copied instruction uses the %rip-relative addressing
348 * mode. Adjust the displacement for the difference between
349 * the original location of this instruction and the location
350 * of the copy that will actually be run. The tricky bit here
351 * is making sure that the sign extension happens correctly in
352 * this calculation, since we need a signed 32-bit result to
353 * be sign-extended to 64 bits when it's added to the %rip
354 * value and yield the same 64-bit result that the sign-
355 * extension of the original signed 32-bit displacement would
358 newdisp = (u8 *) src + (s64) insn->displacement.value
360 if ((s64) (s32) newdisp != newdisp) {
361 pr_err("Kprobes error: new displacement does not fit into s32 (%llx)\n", newdisp);
364 disp = (u8 *) dest + insn_offset_displacement(insn);
365 *(s32 *) disp = (s32) newdisp;
371 /* Prepare reljump or int3 right after instruction */
372 static int prepare_singlestep(kprobe_opcode_t *buf, struct kprobe *p,
375 int len = insn->length;
377 if (!IS_ENABLED(CONFIG_PREEMPTION) &&
378 !p->post_handler && can_boost(insn, p->addr) &&
379 MAX_INSN_SIZE - len >= JMP32_INSN_SIZE) {
381 * These instructions can be executed directly if it
382 * jumps back to correct address.
384 synthesize_reljump(buf + len, p->ainsn.insn + len,
385 p->addr + insn->length);
386 len += JMP32_INSN_SIZE;
387 p->ainsn.boostable = 1;
389 /* Otherwise, put an int3 for trapping singlestep */
390 if (MAX_INSN_SIZE - len < INT3_INSN_SIZE)
393 buf[len] = INT3_INSN_OPCODE;
394 len += INT3_INSN_SIZE;
400 /* Make page to RO mode when allocate it */
401 void *alloc_insn_page(void)
405 page = module_alloc(PAGE_SIZE);
409 set_vm_flush_reset_perms(page);
411 * First make the page read-only, and only then make it executable to
412 * prevent it from being W+X in between.
414 set_memory_ro((unsigned long)page, 1);
417 * TODO: Once additional kernel code protection mechanisms are set, ensure
418 * that the page was not maliciously altered and it is still zeroed.
420 set_memory_x((unsigned long)page, 1);
425 /* Kprobe x86 instruction emulation - only regs->ip or IF flag modifiers */
427 static void kprobe_emulate_ifmodifiers(struct kprobe *p, struct pt_regs *regs)
429 switch (p->ainsn.opcode) {
431 regs->flags &= ~(X86_EFLAGS_IF);
434 regs->flags |= X86_EFLAGS_IF;
436 case 0x9c: /* pushf */
437 int3_emulate_push(regs, regs->flags);
439 case 0x9d: /* popf */
440 regs->flags = int3_emulate_pop(regs);
443 regs->ip = regs->ip - INT3_INSN_SIZE + p->ainsn.size;
445 NOKPROBE_SYMBOL(kprobe_emulate_ifmodifiers);
447 static void kprobe_emulate_ret(struct kprobe *p, struct pt_regs *regs)
449 int3_emulate_ret(regs);
451 NOKPROBE_SYMBOL(kprobe_emulate_ret);
453 static void kprobe_emulate_call(struct kprobe *p, struct pt_regs *regs)
455 unsigned long func = regs->ip - INT3_INSN_SIZE + p->ainsn.size;
457 func += p->ainsn.rel32;
458 int3_emulate_call(regs, func);
460 NOKPROBE_SYMBOL(kprobe_emulate_call);
462 static nokprobe_inline
463 void __kprobe_emulate_jmp(struct kprobe *p, struct pt_regs *regs, bool cond)
465 unsigned long ip = regs->ip - INT3_INSN_SIZE + p->ainsn.size;
468 ip += p->ainsn.rel32;
469 int3_emulate_jmp(regs, ip);
472 static void kprobe_emulate_jmp(struct kprobe *p, struct pt_regs *regs)
474 __kprobe_emulate_jmp(p, regs, true);
476 NOKPROBE_SYMBOL(kprobe_emulate_jmp);
478 static const unsigned long jcc_mask[6] = {
482 [3] = X86_EFLAGS_CF | X86_EFLAGS_ZF,
487 static void kprobe_emulate_jcc(struct kprobe *p, struct pt_regs *regs)
489 bool invert = p->ainsn.jcc.type & 1;
492 if (p->ainsn.jcc.type < 0xc) {
493 match = regs->flags & jcc_mask[p->ainsn.jcc.type >> 1];
495 match = ((regs->flags & X86_EFLAGS_SF) >> X86_EFLAGS_SF_BIT) ^
496 ((regs->flags & X86_EFLAGS_OF) >> X86_EFLAGS_OF_BIT);
497 if (p->ainsn.jcc.type >= 0xe)
498 match = match && (regs->flags & X86_EFLAGS_ZF);
500 __kprobe_emulate_jmp(p, regs, (match && !invert) || (!match && invert));
502 NOKPROBE_SYMBOL(kprobe_emulate_jcc);
504 static void kprobe_emulate_loop(struct kprobe *p, struct pt_regs *regs)
508 if (p->ainsn.loop.type != 3) { /* LOOP* */
509 if (p->ainsn.loop.asize == 32)
510 match = ((*(u32 *)®s->cx)--) != 0;
512 else if (p->ainsn.loop.asize == 64)
513 match = ((*(u64 *)®s->cx)--) != 0;
516 match = ((*(u16 *)®s->cx)--) != 0;
518 if (p->ainsn.loop.asize == 32)
519 match = *(u32 *)(®s->cx) == 0;
521 else if (p->ainsn.loop.asize == 64)
522 match = *(u64 *)(®s->cx) == 0;
525 match = *(u16 *)(®s->cx) == 0;
528 if (p->ainsn.loop.type == 0) /* LOOPNE */
529 match = match && !(regs->flags & X86_EFLAGS_ZF);
530 else if (p->ainsn.loop.type == 1) /* LOOPE */
531 match = match && (regs->flags & X86_EFLAGS_ZF);
533 __kprobe_emulate_jmp(p, regs, match);
535 NOKPROBE_SYMBOL(kprobe_emulate_loop);
537 static const int addrmode_regoffs[] = {
538 offsetof(struct pt_regs, ax),
539 offsetof(struct pt_regs, cx),
540 offsetof(struct pt_regs, dx),
541 offsetof(struct pt_regs, bx),
542 offsetof(struct pt_regs, sp),
543 offsetof(struct pt_regs, bp),
544 offsetof(struct pt_regs, si),
545 offsetof(struct pt_regs, di),
547 offsetof(struct pt_regs, r8),
548 offsetof(struct pt_regs, r9),
549 offsetof(struct pt_regs, r10),
550 offsetof(struct pt_regs, r11),
551 offsetof(struct pt_regs, r12),
552 offsetof(struct pt_regs, r13),
553 offsetof(struct pt_regs, r14),
554 offsetof(struct pt_regs, r15),
558 static void kprobe_emulate_call_indirect(struct kprobe *p, struct pt_regs *regs)
560 unsigned long offs = addrmode_regoffs[p->ainsn.indirect.reg];
562 int3_emulate_call(regs, regs_get_register(regs, offs));
564 NOKPROBE_SYMBOL(kprobe_emulate_call_indirect);
566 static void kprobe_emulate_jmp_indirect(struct kprobe *p, struct pt_regs *regs)
568 unsigned long offs = addrmode_regoffs[p->ainsn.indirect.reg];
570 int3_emulate_jmp(regs, regs_get_register(regs, offs));
572 NOKPROBE_SYMBOL(kprobe_emulate_jmp_indirect);
574 static int prepare_emulation(struct kprobe *p, struct insn *insn)
576 insn_byte_t opcode = insn->opcode.bytes[0];
581 case 0x9c: /* pushfl */
582 case 0x9d: /* popf/popfd */
584 * IF modifiers must be emulated since it will enable interrupt while
585 * int3 single stepping.
587 p->ainsn.emulate_op = kprobe_emulate_ifmodifiers;
588 p->ainsn.opcode = opcode;
590 case 0xc2: /* ret/lret */
594 p->ainsn.emulate_op = kprobe_emulate_ret;
596 case 0x9a: /* far call absolute -- segment is not supported */
597 case 0xea: /* far jmp absolute -- segment is not supported */
598 case 0xcc: /* int3 */
599 case 0xcf: /* iret -- in-kernel IRET is not supported */
602 case 0xe8: /* near call relative */
603 p->ainsn.emulate_op = kprobe_emulate_call;
604 if (insn->immediate.nbytes == 2)
605 p->ainsn.rel32 = *(s16 *)&insn->immediate.value;
607 p->ainsn.rel32 = *(s32 *)&insn->immediate.value;
609 case 0xeb: /* short jump relative */
610 case 0xe9: /* near jump relative */
611 p->ainsn.emulate_op = kprobe_emulate_jmp;
612 if (insn->immediate.nbytes == 1)
613 p->ainsn.rel32 = *(s8 *)&insn->immediate.value;
614 else if (insn->immediate.nbytes == 2)
615 p->ainsn.rel32 = *(s16 *)&insn->immediate.value;
617 p->ainsn.rel32 = *(s32 *)&insn->immediate.value;
620 /* 1 byte conditional jump */
621 p->ainsn.emulate_op = kprobe_emulate_jcc;
622 p->ainsn.jcc.type = opcode & 0xf;
623 p->ainsn.rel32 = *(char *)insn->immediate.bytes;
626 opcode = insn->opcode.bytes[1];
627 if ((opcode & 0xf0) == 0x80) {
628 /* 2 bytes Conditional Jump */
629 p->ainsn.emulate_op = kprobe_emulate_jcc;
630 p->ainsn.jcc.type = opcode & 0xf;
631 if (insn->immediate.nbytes == 2)
632 p->ainsn.rel32 = *(s16 *)&insn->immediate.value;
634 p->ainsn.rel32 = *(s32 *)&insn->immediate.value;
635 } else if (opcode == 0x01 &&
636 X86_MODRM_REG(insn->modrm.bytes[0]) == 0 &&
637 X86_MODRM_MOD(insn->modrm.bytes[0]) == 3) {
638 /* VM extensions - not supported */
642 case 0xe0: /* Loop NZ */
643 case 0xe1: /* Loop */
644 case 0xe2: /* Loop */
645 case 0xe3: /* J*CXZ */
646 p->ainsn.emulate_op = kprobe_emulate_loop;
647 p->ainsn.loop.type = opcode & 0x3;
648 p->ainsn.loop.asize = insn->addr_bytes * 8;
649 p->ainsn.rel32 = *(s8 *)&insn->immediate.value;
653 * Since the 0xff is an extended group opcode, the instruction
654 * is determined by the MOD/RM byte.
656 opcode = insn->modrm.bytes[0];
657 if ((opcode & 0x30) == 0x10) {
658 if ((opcode & 0x8) == 0x8)
659 return -EOPNOTSUPP; /* far call */
660 /* call absolute, indirect */
661 p->ainsn.emulate_op = kprobe_emulate_call_indirect;
662 } else if ((opcode & 0x30) == 0x20) {
663 if ((opcode & 0x8) == 0x8)
664 return -EOPNOTSUPP; /* far jmp */
665 /* jmp near absolute indirect */
666 p->ainsn.emulate_op = kprobe_emulate_jmp_indirect;
670 if (insn->addr_bytes != sizeof(unsigned long))
671 return -EOPNOTSUPP; /* Don't support different size */
672 if (X86_MODRM_MOD(opcode) != 3)
673 return -EOPNOTSUPP; /* TODO: support memory addressing */
675 p->ainsn.indirect.reg = X86_MODRM_RM(opcode);
677 if (X86_REX_B(insn->rex_prefix.value))
678 p->ainsn.indirect.reg += 8;
684 p->ainsn.size = insn->length;
689 static int arch_copy_kprobe(struct kprobe *p)
692 kprobe_opcode_t buf[MAX_INSN_SIZE];
695 /* Copy an instruction with recovering if other optprobe modifies it.*/
696 len = __copy_instruction(buf, p->addr, p->ainsn.insn, &insn);
700 /* Analyze the opcode and setup emulate functions */
701 ret = prepare_emulation(p, &insn);
705 /* Add int3 for single-step or booster jmp */
706 len = prepare_singlestep(buf, p, &insn);
710 /* Also, displacement change doesn't affect the first byte */
713 p->ainsn.tp_len = len;
714 perf_event_text_poke(p->ainsn.insn, NULL, 0, buf, len);
716 /* OK, write back the instruction(s) into ROX insn buffer */
717 text_poke(p->ainsn.insn, buf, len);
722 int arch_prepare_kprobe(struct kprobe *p)
726 if (alternatives_text_reserved(p->addr, p->addr))
729 if (!can_probe((unsigned long)p->addr))
732 memset(&p->ainsn, 0, sizeof(p->ainsn));
734 /* insn: must be on special executable page on x86. */
735 p->ainsn.insn = get_insn_slot();
739 ret = arch_copy_kprobe(p);
741 free_insn_slot(p->ainsn.insn, 0);
742 p->ainsn.insn = NULL;
748 void arch_arm_kprobe(struct kprobe *p)
750 u8 int3 = INT3_INSN_OPCODE;
752 text_poke(p->addr, &int3, 1);
754 perf_event_text_poke(p->addr, &p->opcode, 1, &int3, 1);
757 void arch_disarm_kprobe(struct kprobe *p)
759 u8 int3 = INT3_INSN_OPCODE;
761 perf_event_text_poke(p->addr, &int3, 1, &p->opcode, 1);
762 text_poke(p->addr, &p->opcode, 1);
766 void arch_remove_kprobe(struct kprobe *p)
769 /* Record the perf event before freeing the slot */
770 perf_event_text_poke(p->ainsn.insn, p->ainsn.insn,
771 p->ainsn.tp_len, NULL, 0);
772 free_insn_slot(p->ainsn.insn, p->ainsn.boostable);
773 p->ainsn.insn = NULL;
777 static nokprobe_inline void
778 save_previous_kprobe(struct kprobe_ctlblk *kcb)
780 kcb->prev_kprobe.kp = kprobe_running();
781 kcb->prev_kprobe.status = kcb->kprobe_status;
782 kcb->prev_kprobe.old_flags = kcb->kprobe_old_flags;
783 kcb->prev_kprobe.saved_flags = kcb->kprobe_saved_flags;
786 static nokprobe_inline void
787 restore_previous_kprobe(struct kprobe_ctlblk *kcb)
789 __this_cpu_write(current_kprobe, kcb->prev_kprobe.kp);
790 kcb->kprobe_status = kcb->prev_kprobe.status;
791 kcb->kprobe_old_flags = kcb->prev_kprobe.old_flags;
792 kcb->kprobe_saved_flags = kcb->prev_kprobe.saved_flags;
795 static nokprobe_inline void
796 set_current_kprobe(struct kprobe *p, struct pt_regs *regs,
797 struct kprobe_ctlblk *kcb)
799 __this_cpu_write(current_kprobe, p);
800 kcb->kprobe_saved_flags = kcb->kprobe_old_flags
801 = (regs->flags & X86_EFLAGS_IF);
804 void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs)
806 unsigned long *sara = stack_addr(regs);
808 ri->ret_addr = (kprobe_opcode_t *) *sara;
811 /* Replace the return addr with trampoline addr */
812 *sara = (unsigned long) &__kretprobe_trampoline;
814 NOKPROBE_SYMBOL(arch_prepare_kretprobe);
816 static void kprobe_post_process(struct kprobe *cur, struct pt_regs *regs,
817 struct kprobe_ctlblk *kcb)
819 if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) {
820 kcb->kprobe_status = KPROBE_HIT_SSDONE;
821 cur->post_handler(cur, regs, 0);
824 /* Restore back the original saved kprobes variables and continue. */
825 if (kcb->kprobe_status == KPROBE_REENTER)
826 restore_previous_kprobe(kcb);
828 reset_current_kprobe();
830 NOKPROBE_SYMBOL(kprobe_post_process);
832 static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
833 struct kprobe_ctlblk *kcb, int reenter)
835 if (setup_detour_execution(p, regs, reenter))
838 #if !defined(CONFIG_PREEMPTION)
839 if (p->ainsn.boostable) {
840 /* Boost up -- we can execute copied instructions directly */
842 reset_current_kprobe();
844 * Reentering boosted probe doesn't reset current_kprobe,
845 * nor set current_kprobe, because it doesn't use single
848 regs->ip = (unsigned long)p->ainsn.insn;
853 save_previous_kprobe(kcb);
854 set_current_kprobe(p, regs, kcb);
855 kcb->kprobe_status = KPROBE_REENTER;
857 kcb->kprobe_status = KPROBE_HIT_SS;
859 if (p->ainsn.emulate_op) {
860 p->ainsn.emulate_op(p, regs);
861 kprobe_post_process(p, regs, kcb);
865 /* Disable interrupt, and set ip register on trampoline */
866 regs->flags &= ~X86_EFLAGS_IF;
867 regs->ip = (unsigned long)p->ainsn.insn;
869 NOKPROBE_SYMBOL(setup_singlestep);
872 * Called after single-stepping. p->addr is the address of the
873 * instruction whose first byte has been replaced by the "int3"
874 * instruction. To avoid the SMP problems that can occur when we
875 * temporarily put back the original opcode to single-step, we
876 * single-stepped a copy of the instruction. The address of this
877 * copy is p->ainsn.insn. We also doesn't use trap, but "int3" again
878 * right after the copied instruction.
879 * Different from the trap single-step, "int3" single-step can not
880 * handle the instruction which changes the ip register, e.g. jmp,
881 * call, conditional jmp, and the instructions which changes the IF
882 * flags because interrupt must be disabled around the single-stepping.
883 * Such instructions are software emulated, but others are single-stepped
886 * When the 2nd "int3" handled, the regs->ip and regs->flags needs to
887 * be adjusted, so that we can resume execution on correct code.
889 static void resume_singlestep(struct kprobe *p, struct pt_regs *regs,
890 struct kprobe_ctlblk *kcb)
892 unsigned long copy_ip = (unsigned long)p->ainsn.insn;
893 unsigned long orig_ip = (unsigned long)p->addr;
895 /* Restore saved interrupt flag and ip register */
896 regs->flags |= kcb->kprobe_saved_flags;
897 /* Note that regs->ip is executed int3 so must be a step back */
898 regs->ip += (orig_ip - copy_ip) - INT3_INSN_SIZE;
900 NOKPROBE_SYMBOL(resume_singlestep);
903 * We have reentered the kprobe_handler(), since another probe was hit while
904 * within the handler. We save the original kprobes variables and just single
905 * step on the instruction of the new probe without calling any user handlers.
907 static int reenter_kprobe(struct kprobe *p, struct pt_regs *regs,
908 struct kprobe_ctlblk *kcb)
910 switch (kcb->kprobe_status) {
911 case KPROBE_HIT_SSDONE:
912 case KPROBE_HIT_ACTIVE:
914 kprobes_inc_nmissed_count(p);
915 setup_singlestep(p, regs, kcb, 1);
918 /* A probe has been hit in the codepath leading up to, or just
919 * after, single-stepping of a probed instruction. This entire
920 * codepath should strictly reside in .kprobes.text section.
921 * Raise a BUG or we'll continue in an endless reentering loop
922 * and eventually a stack overflow.
924 pr_err("Unrecoverable kprobe detected.\n");
928 /* impossible cases */
935 NOKPROBE_SYMBOL(reenter_kprobe);
937 static nokprobe_inline int kprobe_is_ss(struct kprobe_ctlblk *kcb)
939 return (kcb->kprobe_status == KPROBE_HIT_SS ||
940 kcb->kprobe_status == KPROBE_REENTER);
944 * Interrupts are disabled on entry as trap3 is an interrupt gate and they
945 * remain disabled throughout this function.
947 int kprobe_int3_handler(struct pt_regs *regs)
949 kprobe_opcode_t *addr;
951 struct kprobe_ctlblk *kcb;
956 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
958 * We don't want to be preempted for the entire duration of kprobe
959 * processing. Since int3 and debug trap disables irqs and we clear
960 * IF while singlestepping, it must be no preemptible.
963 kcb = get_kprobe_ctlblk();
964 p = get_kprobe(addr);
967 if (kprobe_running()) {
968 if (reenter_kprobe(p, regs, kcb))
971 set_current_kprobe(p, regs, kcb);
972 kcb->kprobe_status = KPROBE_HIT_ACTIVE;
975 * If we have no pre-handler or it returned 0, we
976 * continue with normal processing. If we have a
977 * pre-handler and it returned non-zero, that means
978 * user handler setup registers to exit to another
979 * instruction, we must skip the single stepping.
981 if (!p->pre_handler || !p->pre_handler(p, regs))
982 setup_singlestep(p, regs, kcb, 0);
984 reset_current_kprobe();
987 } else if (kprobe_is_ss(kcb)) {
988 p = kprobe_running();
989 if ((unsigned long)p->ainsn.insn < regs->ip &&
990 (unsigned long)p->ainsn.insn + MAX_INSN_SIZE > regs->ip) {
991 /* Most provably this is the second int3 for singlestep */
992 resume_singlestep(p, regs, kcb);
993 kprobe_post_process(p, regs, kcb);
998 if (*addr != INT3_INSN_OPCODE) {
1000 * The breakpoint instruction was removed right
1001 * after we hit it. Another cpu has removed
1002 * either a probepoint or a debugger breakpoint
1003 * at this address. In either case, no further
1004 * handling of this interrupt is appropriate.
1005 * Back up over the (now missing) int3 and run
1006 * the original instruction.
1008 regs->ip = (unsigned long)addr;
1010 } /* else: not a kprobe fault; let the kernel handle it */
1014 NOKPROBE_SYMBOL(kprobe_int3_handler);
1017 * When a retprobed function returns, this code saves registers and
1018 * calls trampoline_handler() runs, which calls the kretprobe's handler.
1022 ".global __kretprobe_trampoline\n"
1023 ".type __kretprobe_trampoline, @function\n"
1024 "__kretprobe_trampoline:\n"
1025 #ifdef CONFIG_X86_64
1026 /* Push a fake return address to tell the unwinder it's a kretprobe. */
1027 " pushq $__kretprobe_trampoline\n"
1029 /* Save the 'sp - 8', this will be fixed later. */
1033 " movq %rsp, %rdi\n"
1034 " call trampoline_handler\n"
1036 /* In trampoline_handler(), 'regs->flags' is copied to 'regs->sp'. */
1040 /* Push a fake return address to tell the unwinder it's a kretprobe. */
1041 " pushl $__kretprobe_trampoline\n"
1043 /* Save the 'sp - 4', this will be fixed later. */
1047 " movl %esp, %eax\n"
1048 " call trampoline_handler\n"
1050 /* In trampoline_handler(), 'regs->flags' is copied to 'regs->sp'. */
1055 ".size __kretprobe_trampoline, .-__kretprobe_trampoline\n"
1057 NOKPROBE_SYMBOL(__kretprobe_trampoline);
1059 * __kretprobe_trampoline() skips updating frame pointer. The frame pointer
1060 * saved in trampoline_handler() points to the real caller function's
1061 * frame pointer. Thus the __kretprobe_trampoline() doesn't have a
1062 * standard stack frame with CONFIG_FRAME_POINTER=y.
1063 * Let's mark it non-standard function. Anyway, FP unwinder can correctly
1064 * unwind without the hint.
1066 STACK_FRAME_NON_STANDARD_FP(__kretprobe_trampoline);
1068 /* This is called from kretprobe_trampoline_handler(). */
1069 void arch_kretprobe_fixup_return(struct pt_regs *regs,
1070 kprobe_opcode_t *correct_ret_addr)
1072 unsigned long *frame_pointer = ®s->sp + 1;
1074 /* Replace fake return address with real one. */
1075 *frame_pointer = (unsigned long)correct_ret_addr;
1079 * Called from __kretprobe_trampoline
1081 __used __visible void trampoline_handler(struct pt_regs *regs)
1083 unsigned long *frame_pointer;
1085 /* fixup registers */
1086 regs->cs = __KERNEL_CS;
1087 #ifdef CONFIG_X86_32
1090 regs->ip = (unsigned long)&__kretprobe_trampoline;
1091 regs->orig_ax = ~0UL;
1092 regs->sp += sizeof(long);
1093 frame_pointer = ®s->sp + 1;
1096 * The return address at 'frame_pointer' is recovered by the
1097 * arch_kretprobe_fixup_return() which called from the
1098 * kretprobe_trampoline_handler().
1100 kretprobe_trampoline_handler(regs, frame_pointer);
1103 * Copy FLAGS to 'pt_regs::sp' so that __kretprobe_trapmoline()
1104 * can do RET right after POPF.
1106 regs->sp = regs->flags;
1108 NOKPROBE_SYMBOL(trampoline_handler);
1110 int kprobe_fault_handler(struct pt_regs *regs, int trapnr)
1112 struct kprobe *cur = kprobe_running();
1113 struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
1115 if (unlikely(regs->ip == (unsigned long)cur->ainsn.insn)) {
1116 /* This must happen on single-stepping */
1117 WARN_ON(kcb->kprobe_status != KPROBE_HIT_SS &&
1118 kcb->kprobe_status != KPROBE_REENTER);
1120 * We are here because the instruction being single
1121 * stepped caused a page fault. We reset the current
1122 * kprobe and the ip points back to the probe address
1123 * and allow the page fault handler to continue as a
1124 * normal page fault.
1126 regs->ip = (unsigned long)cur->addr;
1129 * If the IF flag was set before the kprobe hit,
1132 regs->flags |= kcb->kprobe_old_flags;
1134 if (kcb->kprobe_status == KPROBE_REENTER)
1135 restore_previous_kprobe(kcb);
1137 reset_current_kprobe();
1142 NOKPROBE_SYMBOL(kprobe_fault_handler);
1144 int __init arch_populate_kprobe_blacklist(void)
1146 return kprobe_add_area_blacklist((unsigned long)__entry_text_start,
1147 (unsigned long)__entry_text_end);
1150 int __init arch_init_kprobes(void)
1155 int arch_trampoline_kprobe(struct kprobe *p)
projects / linux-2.6-microblaze.git / blob